> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Monday, 20 August, 2012 16:05

> I create a certificate request that includes -reqexts usr_cert. The
> [ usr_cert ] section specifies two additional names.
>
> I display the request and see them:
<snip>
> I then sign the request with
>
Nit: I forgot to say last time, but this doesn't sign the CSR.
It creates a cert from the CSR, and signs the cert. The cert is
related to the CSR in important ways, but is NOT the same thing.
This is a too-common mistake but actually somewhat relevant here.

> openssl.exe ca -in MYNOTEBOOK_server.req.pem -config CMC_root_config.cnf
> -out MYNOTEBOOK_server.pem -verbose -cert CMC_root.pem -keyfile CMC_root.key.pem
>
> I see the two alternative names in the verbose output. The signed
> certificate issues. But now it's missing the two alternative
> names. I see only
>
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>     Signature Algorithm: sha1WithRSAEncryption
>
ca -verbose displays the request and the extension is in the request,
but not the cert. The cert is not the request.

> How do I get ca to keep my alternative names?
>
Per 'man ca', in the config file used for 'ca' in the (selected)
ca section, copy_extensions = copy or copyall. The manpage warns
against the latter, unless you completely trust the source of
the requests. Here the source of the requests is yourself and
you presumably trust yourself.
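
The symptom and the fix from this thread, reproduced as an added example (not part of the original messages): a throwaway CA in a temp directory issues a cert from a CSR carrying two alternative names, once with `copy_extensions = none` and once with `copy`. The section names `CA_default`, `policy_any` and `cert_ext`, the file names and the DNS names are assumptions made for the demo; only `usr_cert` and `copy_extensions` come from the thread.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and CSR in a temp dir; every name is made up.
# issue_and_count_san MODE prints the number of SAN lines in the issued cert
# (MODE is the copy_extensions value: none, copy or copyall).
issue_and_count_san() {
  mode=$1
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    mkdir certs && : > index.txt && echo 01 > serial || exit 1
    cat > demo.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
serial = serial
new_certs_dir = certs
default_md = sha256
default_days = 30
policy = policy_any
x509_extensions = cert_ext
# The setting the thread is about; lives in the CA section, not the request.
copy_extensions = $mode
[ policy_any ]
commonName = supplied
[ cert_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
prompt = no
req_extensions = usr_cert
[ dn ]
CN = demo-server
[ usr_cert ]
subjectAltName = DNS:a.example, DNS:b.example
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf \
      -subj "/CN=Demo CA" -days 30 -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
      -keyout srv.key -out srv.csr 2>/dev/null || exit 1
    openssl ca -batch -notext -config demo.cnf -cert ca.pem -keyfile ca.key \
      -in srv.csr -out srv.pem 2>/dev/null || exit 1
    openssl x509 -in srv.pem -noout -text | grep -c 'DNS:a.example' || true
  )
  status=$?
  rm -rf "$dir"
  return $status
}
for m in none copy; do echo "copy_extensions=$m: SAN lines = $(issue_and_count_san "$m")"; done
```

With `copy`, the `basicConstraints = CA:FALSE` set in the CA's own extension section stays in force, because `copy` only adds request extensions that are not already present. `copyall` lets the request replace it, which is the case the manpage warning is about.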